enc device parser

Carter Bullard carter at qosient.com
Wed Dec 29 14:47:42 EST 2010


Hey Mike,
Argus doesn't support all the known DLTs that have been created, but adding one is trivial.
So you'd like to see support for DLT_ENC?  I can put it in if you're willing to test it.
Do you have any packets captured from the interface that I can use for preliminary testing?

Carter


On Dec 29, 2010, at 2:32 PM, mike tancsa wrote:

> Has anyone hacked together a parser for the *BSD enc device in Argus?
> 
> http://www.freebsd.org/cgi/man.cgi?query=enc&apropos=0&sektion=4&manpath=FreeBSD+8.1-RELEASE&format=html
> 
> 
> It basically allows IPSEC ESP traffic to be examined as if it were
> coming through an interface
> 
> 
> doing a tcpdump looks like
> 
> # tcpdump -s0  -ni enc0
> tcpdump: WARNING: enc0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size
> 65535 bytes
> 13:57:17.620542 (authentic,confidential): SPI 0x0b380f2d: IP 64.7.134.1
>> 205.211.165.1: IP 192.168.0.12.54283 > 10.11.12.1.1010: S
> 258377009:258377009(0) win 65535 <mss 1452,nop,wscale 3,sackOK,timestamp
> 1264553963 0> (ipip-proto-4)
> 13:57:17.720371 (authentic,confidential): SPI 0x04b2cfa0: IP
> 10.11.12.1.1010 > 192.168.0.12.54283: S 724245143:724245143(0) ack
> 258377010 win 8192 <mss 1380,nop,wscale 0,nop,nop,timestamp 14697561
> 1264553963>
> 
> 13:57:17.720383 (authentic,confidential): SPI 0x04b2cfa0: IP
> 205.211.165.1 > 64.7.134.1: IP 10.11.12.1.1010 > 192.168.0.12.54283: S
> 724245143:724245143(0) ack 258377010 win 8192 <mss 1380,nop,wscale
> 0,nop,nop,timestamp 14697561 1264553963> (ipip-proto-4)
> 13:57:17.763928 (authentic,confidential): SPI 0x0b380f2d: IP 64.7.134.1
>> 205.211.165.1: IP 192.168.0.12.54283 > 10.11.12.1.1010: . ack 1 win
> 8208 <nop,nop,timestamp 1264554108 14697561> (ipip-proto-4)
> 
> 
> 	---Mike
> 
> 
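For anyone wiring this up, the frame Argus would have to handle is the inner IP packet preceded by the fixed DLT_ENC header. The parser below is an added example, not code from Argus or from this thread; the 12-byte layout (address family, SPI, flags) and the M_AUTH/M_CONF bit values are taken from the OpenBSD enc(4) header as used by tcpdump, and the byte-order handling (af and flags in the capturing host's order, SPI in network order) and the sample bytes are assumptions constructed here to reproduce the "(authentic,confidential): SPI 0x0b380f2d" prefix seen above.

```python
import socket
import struct

# DLT_ENC (libpcap link type 109) prefixes every captured IP packet with a
# 12-byte header: address family, SPI, flags.  Layout and flag values follow
# OpenBSD's enc(4) as decoded by tcpdump; they are not stated in the thread.
ENC_HDRLEN = 12
M_CONF = 0x0400          # payload was encrypted (ESP)
M_AUTH = 0x0800          # payload was authenticated (ESP auth or AH)
BSD_AF_INET = 2
BSD_AF_INET6 = {24, 28}  # OpenBSD uses 24, FreeBSD uses 28

def parse_enc(frame, host_order="<"):
    """Split a DLT_ENC frame into (af, spi, flags, inner_ip_packet).
    af and flags use the capturing host's byte order (assumed little-endian
    here); the SPI is assumed to be carried in network byte order."""
    if len(frame) < ENC_HDRLEN:
        raise ValueError("short DLT_ENC frame")
    af, = struct.unpack(host_order + "I", frame[0:4])
    spi, = struct.unpack("!I", frame[4:8])
    flags, = struct.unpack(host_order + "I", frame[8:12])
    return af, spi, flags, frame[ENC_HDRLEN:]

def describe(af, spi, flags):
    """Build the prefix tcpdump prints, e.g. '(authentic,confidential): SPI 0x0b380f2d: IP'."""
    attrs = [n for bit, n in ((M_AUTH, "authentic"), (M_CONF, "confidential")) if flags & bit]
    fam = "IP" if af == BSD_AF_INET else "IP6" if af in BSD_AF_INET6 else f"af{af}"
    return f"({','.join(attrs)}): SPI 0x{spi:08x}: {fam}"

def inner_addrs(pkt):
    """Return (src, dst, protocol) from the IPv4 header that follows the ENC header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9]

def summarize(frame):
    """One-line summary in the style of the tcpdump output quoted in the thread."""
    af, spi, flags, pkt = parse_enc(frame)
    src, dst, proto = inner_addrs(pkt)
    tail = " (ipip-proto-4)" if proto == 4 else ""
    return f"{describe(af, spi, flags)} {src} > {dst}{tail}"

# Constructed sample: little-endian host, AF_INET, the SPI 0x0b380f2d seen in the
# thread, M_AUTH|M_CONF set, then a minimal IPv4/IPIP header 64.7.134.1 -> 205.211.165.1.
SAMPLE = (struct.pack("<I", BSD_AF_INET) + struct.pack("!I", 0x0b380f2d)
          + struct.pack("<I", M_AUTH | M_CONF)
          + bytes.fromhex("45000014000000004004000040078601cdd3a501"))
```

A real pcap from enc0 would be fed frame by frame into summarize(); frames from a big-endian capture host need host_order=">" for the af and flags words.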
